At Modal, a high-availability VPN proxy called vprox was built using Go and WireGuard. This proxy allows containers to funnel outbound traffic through static IPv4 addresses, ensuring consistent source IP addresses for outgoing internet traffic. The proxy uses SOCKS5 proxies initially but later switched to WireGuard, which provides better security and consistency. To configure networking for the proxy, a policy-based routing system was implemented, allowing traffic from one container to go through a designated VPN interface without affecting its neighbors. This setup is essential for multi-tenant Modal workers that run gVisor sandboxes on shared hosts. The proxy server uses sysctl settings to relax reverse path filtering and ensure reliable operation across Linux distributions. The vprox control plane was open-sourced, allowing developers to configure various aspects of the networking system, including IP discovery and client reconnection.